7 Best Practices for Keeping Your Non-Profit Data Safe
By Ntiva Editorial Team on Nov 20, 2017

7 Best Practices for Keeping Your Non-Profit Data Safe

No question about it, donors are a nonprofit’s greatest asset. The last thing you want to worry about is the potential of your donor’s personal information being stolen or compromised.

We live in an age of constant cyber wars, with hackers always on the prowl. Unfortunately, nonprofits are top of their list as hackers assume with resources often stretched thin, nonprofits not putting much thought, energy or dollars into cyber protection.

For many nonprofits, a donor database compromise could mean at best, a stop to critical activities. At worst, this could mean a complete collapse of the organization if donors lose trust in their ability to keep personal data protected.


Given that reality, here are seven best practices for nonprofit data security:

  1. Different user names and passwords for each person who needs access to your database(s) and different passwords for each application. It is very important not to have a shared, universal password. With individual user names and passwords, you can control access and viewing permissions on a person-by-person basis. Further, should a particular user name and password be stolen, you limit the ability of that combination to get unauthorized access to other sensitive information.
  1. Multi-factor authentication for any server access. The most common type is two-factor authentication, which is a security process in where the user has to provide two authentication factors to verify they are who they say they are. This means a user name and password (what the user knows) and something the user has in their possession – such as ID card, a security token or a smartphone (what the user has.)
  1. If you use Microsoft SQL Server (MSSQL), disable the user “SA” that was created in the installation stage.This is a well-known account and is the most easily brute-forced user in MSSQL. Instead, create a separate administrative username and password and then make sure only your IT provider or your database administrator knows these credentials.
  1. If you accept donations online, make sure your servers are Payment Card Industry (PCI) compliant and that the database tables are encrypted. If you are not sure you are PCI compliant, there are many tools you can use that will scan and identify what needs to be fixed. Anything that is out of compliance means that it is a known vulnerability, allowing easier access to cyber terrorists and hackers.
  1. Make sure your servers are fully patched and up to date. New patches do more than fix bugs—they also correct known vulnerabilities. Using outdated software and/or not applying patches can lead to serious problems, making you much more susceptible to attacks and compromises. This process should be automated – humans forget!
  1. Do not forget about mobile devices. All your employees are carrying around powerful computers in their pockets and purses, with access to almost everything. IT security for today’s mobile employees is an important consideration. Every organization should create, document and enforce mobile device policies. Here are 3 quick tips to get you started!
    • Make sure employees have password protected their devices – and consider implementing a 6-digit password requirement to access your organization’s network
    • Don’t underestimate the importance of email security – whether on smartphones, laptops or workstations – consider encryption software as well
    • Look into Mobile Device Management (MDM) software, which will enable you to manage and protect all of your organization’s mobile devices

 You can read more on mobile device security here.

  1. Last but not least – data backup and disaster recovery. The risk of losing data from server failures, natural disasters and especially security breaches has never been higher. It’s critical to protect your organization’s mission with the right data backup and disaster recovery Do not leave your most precious resource – your donor data – to chance with an outdated or half-baked solution!

If you're interested in a "no obligation" consultation on how we can help your nonprofit with your cyber security strategy, contact us to set up an appointment and we'll be happy to explore your needs.